Posts

60 days later, the overall status of unprotected PACS system around the globe isn’t getting better. The situation is the US seems to be an unstoppable information security and data privacy desaster.

1.19 billion images

That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since or first research 60 days ago, but that number of images related to now more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe is – simply put – frightening.

Is it ignorance or negligence?

“Check again” is one of the mantras of cybersecurity and specifically for vulnerability management. You do ‘check again’ to see how your cyber security status evolves, whether the measures and tools you’ve implemented work and actually provide the benefit you’ve wanted them to. Its this reasoning, why we decided to do a review quite soon after the first report and to do so 60 days later as mandated in the US (being largely affected by this specific data leak). But to find even more studies, with more images related to them, isn’t what we expected to see. The question about ignorance and/or negligence can only be answered this way. From our point of view, it is both in an unhealthy combination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.

There is sort of hope as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images and additional, and new countries added to the list.

“Good, bad, and ugly”

Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). When going into the details, there are three groups of countries within our data.

  • The “Good”
    Countries which have (a.m. above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
  • The “Bad”
    Countries, where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
  • The “Ugly”
    That group consist of a few countries, where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.

New datapoints

For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximating and might lead to incorrect interpretation, so we advise to take them with a bit of salt. For example, the location of a system doesn’t mean that all PII stored in it is from citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we have analyzed the data in run-time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.

Extra focus: USA

The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.

One very large archive allows full access to PHI including all images related to the 1.2 million examinations, in addition – for about 75% of the individual names stored – it also discloses the social security numbers. The potential risk for medical identity theft for the affected individuals sums up to about $ 3.3 billion. That amount is almost two third of the overall financial risk calculated for this type of exploitation and the PACS identified.

Another archive appears to hold data from military personnel including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides for means of exploitation (some of the described in the initial report).

The following graphic highlights the situation in the US, per state affected.

(click here for a hires version, usage is allowed given that the copyright is properly displayed).

The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region which will be another Greenbone report about to be published.

Recommended actions

In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps towards an increased likelihood to discover devices connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers, your physician really understand that they have to take the security and privacy of your data seriously.

The report

Greenbone’s updated report can be downloaded here [1].

Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Outlook

The mentioned study about those capabilities which lead to high cyber resiliency will be published soon. The report covers the largest economies of the world and spreads across 6 sectors considered as critical national infrastructures, namely

  • Health
  • Finance
  • Transport
  • Energy
  • Water
  • IT&Telecommunications

More to come in our blog.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] Greenbone Security Report – Unprotected Patient Data, a review

[2] Greenbone Whitepaper – Health Sector

15th October, 2019 Greenbone, a leading provider of vulnerability management solutions, has today extended its security feed capabilities in order to detect unprotected Picture Archiving and Communication Systems (PACS) in use by medical professionals to store and share scans, x-rays and other medical images. In September 2019, Greenbone revealed that approximately 700 million images – relating to more than 24 million patient records – were exposed on the internet due to poorly secured PACS servers.

Sensitive patient data requires complete protection yet Greenbone’s research identified some 2,300 medical image archiving systems visible on the public internet. A significant proportion of these servers allowed unsecured access to image files containing sensitive data such as patient names, birth and examination dates, as well as the reason for the examination.

The new Greenbone vulnerability tests are designed to help hospitals, radiology clinics and other healthcare facilities avoid data leaks in the future. Included in the security feed of Greenbone’s vulnerability management solution, these tests enable healthcare customers to identify unprotected PACS servers within their image archives. They will also receive notifications about whether an encrypted connection is used, if patient data is retrievable, and whether any authentication is configured. Customers can also check the Application Entity Titles (AET) of these systems. These titles control access to certain image databases but often follow standardised formats, making them susceptible to brute force attacks.

Crucially, the tests check whether it is possible for the public to access these PACS servers, together with the data and images they contain. If the test is positive, administrators can take immediate action to close any gaps in security.

Dirk Schrader, cyber resilience architect at Greenbone, commented: ‘Several security researchers have criticised PACS servers for being readable and vulnerable to attack, but what shocked us was the true extent of the problem. Our analysis uncovered unsecured PACS systems in use all over the world; a situation that simply cannot be allowed to continue. By extending the capabilities of the Greenbone Security Feed to test for unprotected PACS, we hope to make it much easier for health providers to protect confidential patient data and images, both now and well into the future.’

These new tests are available to customers using Greenbone Security Manager (GSM), Greenbone Community Edition (GCE) or Greenbone Vulnerability Management (GVM). Users of the Greenbone Community Feed can find further information on the community page or can contact Greenbone support for general information on how to fix vulnerabilities and the Vulnerability Tests (VT) provided as part of the Security Feed.